The first line of defense is limiting the access for the user and the apps. Unlike Android, which presents little to no resistance for sideloading apps from the internet, Apple’s iOS is walled off. You can only install apps from the App Store (unless you jailbreak your device, but that’s a fringe case). The official catalog is closely vetted, approved, and monitored, so the risk of infection from an app — primarily how phones contract viruses and other malware — is already incredibly minuscule.
Then, it’s the architecture of iOS, the operating system powering the iPhone. Modern smartphones, whether Android or iPhone, run on the Sandboxing model. It’s a simple and elegant approach to security and privacy.
Essentially, every app on the iPhone (native or third-party) is isolated or “sandboxed” into a separate process. Once sandboxed, apps cannot read or interact with other apps without permission (via Apple). They don’t have access to system resources (phone, camera, GPS, and such) until you grant it. If you’ve ever paid attention to apps requesting permissions with popup prompts, application sandboxing is why.
Now imagine a malicious app making its way onto your iPhone. It’ll not be able to do any damage since it’s sandboxed and sitting in the dark. It cannot harvest any data (your phone, messages, emails, or payment info) or replicate itself like a virus because it was never allowed access, neutralizing the threat (via Google).